Geeklog 1.5.2sr2

Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion that also works with Geeklog. This issue allowed an attacker to extract the password hash for any account and is fixed with this release. Please note that this problem exists in all Geeklog versions prior to 1.5.2sr2.

The upgrade tarball contains only one file (a drop-in replacement for lib-sessions.php) and can also be used to fix the issue on Geeklog 1.4.1, 1.5.0, and 1.5.1.

As a temporary measure (and to secure older Geeklog releases that are not supported any more), you can also make the following configuration change, at the risk of inconveniencing some of your users:

In Geeklog 1.5.x, go to Configuration > Geeklog > Miscellaneous > Cookies and change the option "Cookies embed IP?" to "True". On older Geeklog releases, open your config.php file, find the line that sets $_CONF['cookie_ip'] and change its value from 0 to 1 (i.e. $_CONF['cookie_ip'] = 1;). The downside of this configuration change is that the long-term cookie will no longer work for users whose IP address changes, i.e. they will have to log in again more often.

After I sign in on a patched Geeklog 1.4.1, it's like I'm not logged in: the user login block is still there and I can't access the admin area. If I un-patch the CMS and refresh the page, I'm logged in and can now access the admin features.

Applying this patch (lib-session.php) to Geeklog-1.5.0 prevented me from logging into the site (on MS Windows and Linux). When I undid the patch, I was able to log in again. I don't have this inconvenience with GL-1.5.1, though.